VidShop WooCommerce Plugin WordPress SQL Injection Vulnerability

A time-based SQL injection vulnerability has been identified in the VidShop – Shoppable Videos for WooCommerce plugin for WordPress, affecting all versions through 1.1.4. The vulnerability arises from inadequate escaping of user-supplied data in the 'fields' parameter, allowing unauthenticated attackers to inject additional SQL queries. This exploitation could lead to the extraction of sensitive information from the database.

Impact

Exploitation of this vulnerability allows for time-based SQL injection, where an attacker can manipulate SQL queries to extract data from the database. This could include sensitive information such as user data or other critical database contents.

Reproduction

To reproduce this vulnerability, send a request to the WordPress site with the 'fields' parameter including unescaped SQL injection payloads. The injection can be verified by observing the response time, which will be delayed based on the payload's execution.

Remediation

Users are advised to update the VidShop – Shoppable Videos for WooCommerce plugin to version 1.1.5 or later, where this vulnerability has been patched.